mermet: wg-intra: enable courge
[sourcephile-nix.git] / hosts / losurdo / acme / autogeree.net.nix
index 08be4abbb93ab308493abdf12995baef10870c64..7ea8b56d2803b73c313e368d8f5f440121ff3da3 100644 (file)
@@ -1,56 +1,55 @@
-{ pkgs, lib, config, inputs, hosts, hostName, ... }:
+{ pkgs, lib, config, inputs, hosts, hostName, info, ... }:
 let
   domain = "autogeree.net";
-  domainID = lib.replaceStrings ["."] ["_"] domain;
+  domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
   inherit (config.users) groups;
 in
 {
-networking.nftables.ruleset = ''
-  table inet filter {
-    # ACME DNS-01 challenge and Gandi DNS
-    set output-net-lego-ipv4 {
-      type ipv4_addr
-      elements = {
-        ${hosts.mermet._module.args.ipv4},
-        217.70.177.40
+  networking.nftables.ruleset = ''
+    table inet filter {
+      # ACME DNS-01 challenge and Gandi DNS
+      set output-net-lego-ipv4 {
+        type ipv4_addr
+        elements = {
+          ${hosts.mermet._module.args.ipv4},
+          ${info.gandi.dns.secondary.ns.ipv4}
+        }
       }
-    }
-    set output-net-lego-ipv6 {
-      type ipv6_addr
-      elements = {
-        2001:4b98:d:1::40
+      set output-net-lego-ipv6 {
+        type ipv6_addr
+        elements = {
+          ${info.gandi.dns.secondary.ns.ipv6}
+        }
       }
     }
-  }
-'';
-security.acme.certs."${domain}" = {
-  email = "root+letsencrypt@${domain}";
-  extraDomainNames = [
-    "*.${domain}"
-  ];
-  group = groups.acme.name;
-  keyType = "rsa4096";
-  dnsProvider = "rfc2136";
-  # ns6.gandi.net takes roughly 5min to update
-  # hence lego's RFC2136_PROPAGATION_TIMEOUT=1000
-  #dnsPropagationCheck = false;
-  credentialsFile = "/dev/null";
-  validMinDays = 10;
-};
-systemd.services."acme-${domain}" = {
-  serviceConfig.LoadCredentialEncrypted =
-    [ "${domain}.tsig:${inputs.self}/hosts/${hostName}/acme/${domain}.tsig.cred" ];
-  environment = {
-    RFC2136_TSIG_SECRET = "%d/${domain}.tsig";
-    RFC2136_NAMESERVER = "ns.${domain}:53";
-    RFC2136_TSIG_ALGORITHM = "hmac-sha256.";
-    RFC2136_TSIG_KEY = "acme_${domainID}";
-    RFC2136_PROPAGATION_TIMEOUT = "1000";
-    RFC2136_POLLING_INTERVAL = "30";
-    RFC2136_SEQUENCE_INTERVAL = "30";
-    RFC2136_DNS_TIMEOUT = "1000";
-    RFC2136_TTL = "1";
+  '';
+  security.acme.certs."${domain}" = {
+    email = "root+letsencrypt@${domain}";
+    extraDomainNames = [
+      "*.${domain}"
+    ];
+    group = groups.acme.name;
+    keyType = "rsa4096";
+    dnsProvider = "rfc2136";
+    # ns6.gandi.net takes roughly 5min to update
+    # hence lego's RFC2136_PROPAGATION_TIMEOUT=1000
+    #dnsPropagationCheck = false;
+    credentialsFile = pkgs.writeText "acme-credentials-${domain}" ''
+      RFC2136_NAMESERVER=ns.${domain}:53
+      RFC2136_TSIG_ALGORITHM=hmac-sha256.
+      RFC2136_TSIG_KEY=acme_${domainID}
+      RFC2136_PROPAGATION_TIMEOUT=1000
+      RFC2136_POLLING_INTERVAL=30
+      RFC2136_SEQUENCE_INTERVAL=30
+      RFC2136_DNS_TIMEOUT=1000
+      RFC2136_TTL=1
+    '';
+  };
+  systemd.services."acme-${domain}" = {
+    serviceConfig.LoadCredentialEncrypted = [
+      "${domain}.tsig:${./. + "/${domain}.tsig.cred"}"
+    ];
+    environment.RFC2136_TSIG_SECRET_FILE = "%d/${domain}.tsig";
+    after = [ "unbound.service" ];
   };
-  after = [ "unbound.service" ];
-};
 }
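Review bot: The new `credentialsFile = pkgs.writeText ...` block at the top of `security.acme.certs."${domain}"` places the lego environment file in the world-readable Nix store, which is only safe because it holds no secret; the TSIG secret arrives separately through `LoadCredentialEncrypted` and `RFC2136_TSIG_SECRET_FILE`. That invariant is easy to break the next time someone adds a `RFC2136_*` variable, so it deserves a comment such as `# Deliberately secret-free: writeText lands in /nix/store. The TSIG key stays in the encrypted systemd credential (RFC2136_TSIG_SECRET_FILE below).` next to the `credentialsFile` assignment. Two smaller points: the old `validMinDays = 10;` is dropped without mention in the commit title, so the renewal threshold silently reverts to the module default, which is presumably intended but worth a word in the description; and `after = [ "unbound.service" ];` only orders the unit, so if unbound is not pulled in elsewhere the resolver may not be running when lego starts (adding `wants = [ "unbound.service" ];` would make the dependency explicit, if that is the intent).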